By NHI Mgmt Group Editorial Team
Published 2025-10-22
Domain: Breaches & Incidents
Source: SSH Communications Security

TL;DR: SSH Communications Security’s PrivX OT was recognized by KuppingerCole in secure remote access for OT and ICS and, the same week, received an honorable mention in Gartner’s 2025 PAM Magic Quadrant, underscoring how critical infrastructure teams are being judged on browser-based access, scalability and legacy compatibility. The real issue is not analyst recognition, but whether PAM controls can govern distributed OT access without weakening operational continuity.


At a glance

What this is: A vendor recognition story about secure OT access and PAM. The key finding is that distributed industrial environments are being evaluated on zero-trust-style remote access, just-in-time connectivity, and compatibility with legacy systems.

Why it matters: OT, NHI, and human privileged access programmes increasingly converge on the same control problem: how to reduce standing access without breaking operations, auditability, or plant uptime.


👉 Read SSH Communications Security’s analysis of PrivX OT recognition and PAM


Context

Secure remote access for OT and ICS is no longer a niche infrastructure problem. It is a privileged access governance problem where browser-based access, just-in-time connectivity, and protocol mediation must coexist with legacy control systems and distributed sites. The article sits squarely in the secure remote access and PAM category, with direct implications for critical infrastructure and industrial identity governance.

The practitioner question is whether OT access platforms are actually reducing standing privilege, or simply wrapping older access patterns in a more modern interface. That matters for both human admins and service-led operational access, because the same trust assumptions about session control, approval, and auditability are under pressure in industrial environments.

For teams building converged identity programmes, the important signal is not the analyst ranking itself but the pattern it reflects: OT access is being pulled into the same zero trust and lifecycle governance expectations as broader privileged access. That makes the article relevant to PAM, NHI governance, and industrial IAM operating models at the same time.


Key questions

Q: How should security teams govern just-in-time access in OT environments?

A: Security teams should govern just-in-time access as a session lifecycle control, not as a one-time authentication event. The key is to define who can request access, how approval is recorded, when access expires, and how teardown is verified across the exact OT protocols in use. Without that closure, JIT becomes a time-limited credential rather than a governed control.

Q: Why do legacy industrial systems complicate zero trust access models?

A: Legacy industrial systems complicate zero trust because they were built for stable connectivity, not continuous policy enforcement or per-session identity checks. Many OT assets cannot support modern federation or fine-grained authorization directly, so teams rely on brokers and gateways. That shifts trust to the access layer, which must be governed as carefully as the asset itself.

Q: What do teams get wrong about browser-based access for OT?

A: Teams often assume browser-based access is inherently safer, when the real question is whether the broker enforces policy at the protocol level. A browser front end can reduce direct exposure, but it does not automatically solve over-privilege, weak logging, or poor teardown. The access architecture still needs session control, review, and revocation evidence.

Q: How should organisations decide whether OT PAM controls are mature enough?

A: Organisations should judge OT PAM maturity by whether access can be granted, monitored, and removed without manual exceptions. If the programme cannot prove who approved access, what protocols were used, and whether privileges ended on time, it is still relying on standing trust. Mature controls produce auditability as well as operational continuity.


Technical breakdown

Just-in-time access in OT remote sessions

Just-in-time access in OT means privileges are created for a specific session or task, then removed when the task ends. In industrial environments, that pattern is often used to reduce standing privileged access while preserving the ability to reach PLCs, HMIs, and other legacy assets through a controlled gateway. The technical challenge is that OT often mixes modern identity checks with older protocols and devices that were never designed for modern federation or fine-grained authorization. Practical implication: treat JIT as a session-control pattern, not as a substitute for lifecycle governance or device-level hardening.

Practical implication: Use JIT to narrow session exposure, but verify that access removal and audit trails still work across every OT protocol path.

Browser-based access and protocol mediation

Browser-based access changes the trust boundary by placing an access broker between the operator and the industrial target. Instead of exposing the asset directly, the broker terminates the session, applies policy, and relays only approved commands or file transfers. That architecture can reduce direct credential handling and make remote access easier to audit, but it also concentrates control in the mediation layer. Practical implication: inspect whether the broker actually enforces protocol-specific controls, or only presents the appearance of central governance.

Practical implication: Validate that the mediation layer logs, filters, and segregates OT commands rather than simply proxying them.

Legacy OT compatibility and zero trust access

Legacy OT compatibility is where many access programmes fail, because zero trust principles depend on continuous verification while industrial systems often depend on stable connections and deterministic operations. When a platform claims zero-trust-type capabilities for OT, the important technical question is how it handles identity, session boundaries, and file transfer without disrupting plants or field operations. This is less about branding and more about whether access policies can be enforced without changing the underlying industrial estate. Practical implication: map zero trust controls to each protocol, site, and operator class before deployment.

Practical implication: Test policy enforcement against the exact OT protocols and site workflows you run, not against generic remote access assumptions.


Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

OT privileged access is becoming an identity governance problem, not just a connectivity problem. The article shows how secure remote access for industrial environments now sits at the intersection of PAM, zero trust, and legacy operational constraints. That combination matters because the access path itself is the control plane for critical infrastructure, manufacturing, energy, and defense operations. Practitioners should stop treating OT remote access as a separate niche and govern it as part of the wider identity perimeter.

Just-in-time connectivity only works if the access lifecycle is actually closed at session end. In OT, the value proposition is reduced standing privilege and narrower exposure windows, but those benefits disappear if approvals, revocation, and audit are inconsistent across sites or protocols. The control gap is not the feature set, it is whether the access model can prove when privilege begins and ends. Practitioners should measure session closure as rigorously as session start.

Protocol mediation creates a new trust anchor that must be governed like any other privileged control point. Browser-based access and secure file transfer are attractive because they reduce direct exposure to legacy assets, but they also centralize enforcement and logging in the mediation layer. That makes the broker a high-value governance object for PAM teams, not just an implementation detail. Practitioners should treat the mediation layer as part of the privilege estate, not as a convenience layer.

Industrial access modernization is accelerating convergence between human admin access and NHI-style service access. The same operational estate often contains engineers, vendors, automation jobs, and system-to-system workflows, each with different assurance needs but similar blast-radius concerns. That convergence pushes identity teams toward shared lifecycle, review, and session governance models. Practitioners should align OT access policy with the broader identity programme instead of maintaining separate exceptions forever.


What this signals

Browser-mediated OT access is now part of the broader privileged identity surface. Teams should expect PAM and zero trust controls to be judged on whether they can govern session start, protocol mediation, and teardown with the same rigor they apply in enterprise admin access. The operational question is no longer whether OT needs identity controls, but whether those controls can survive contact with legacy protocols and distributed sites.

Industrial access programmes need a single policy model for human operators, vendors, and machine-led workflows. Where third-party access already touches NHIs, the governance model must account for ownership, approval, and revocation across the whole access chain. A useful reference point is the OWASP Non-Human Identity Top 10, especially where over-privilege and exposed credentials intersect with remote access.

Quantitatively, the access problem is still wider than most programmes admit. With 97% of NHIs carrying excessive privileges according to the Ultimate Guide to NHIs, industrial teams should assume that any access path not explicitly bounded will drift toward standing privilege. That is why lifecycle controls and access reviews now matter as much in OT as they do in cloud estates.


For practitioners

  • Map OT access paths to privilege boundaries: Inventory every remote access path into industrial systems, including browser-based sessions, vendor support flows, and protocol relays. Assign an owner to each path and define where authentication ends and privileged session control begins.
  • Verify session teardown across legacy protocols: Test whether just-in-time access is actually revoked when the task ends, especially where older OT protocols, jump hosts, or file-transfer workflows are involved. Require logs that show both grant and closure events for each session.
  • Treat the broker as a privileged control point: Apply the same review discipline to the mediation layer that you would apply to a PAM vault or bastion host. Review policy changes, command filtering, and audit log integrity as part of standard privileged access governance.
  • Unify OT and enterprise access reviews: Bring OT admins, third-party maintainers, and platform operators into the same recertification process where possible. The goal is to reduce exceptions, make access ownership visible, and avoid permanently standing industrial access.
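The "Verify session teardown across legacy protocols" item above, and the just-in-time section in the technical breakdown, both come down to one evidence question: for every privileged OT session, can the logs prove an approval before the grant, an approver who is not the operator, and a revoke before the approved window expired? The following Python script is an added example (not code from the original post, from SSH Communications Security, or from PrivX) that audits a constructed set of access-broker events for exactly that closure evidence and rolls the findings up per protocol path. The JSON-lines format, the field names, the event names (request, approve, grant, revoke) and the session data are all assumptions made for the example.

```python
"""Audit just-in-time OT sessions for approval, closure and TTL evidence."""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed broker event log (hypothetical format; not any vendor's real schema).
# Each line records one lifecycle event for a session; ttl_min is the approved window.
SAMPLE_LOG = """\
{"ts":"2025-10-22T08:00:00Z","event":"request","session":"s-001","operator":"alice","protocol":"ssh","target":"plc-07","ttl_min":60}
{"ts":"2025-10-22T08:01:00Z","event":"approve","session":"s-001","operator":"alice","approver":"bob","protocol":"ssh","target":"plc-07","ttl_min":60}
{"ts":"2025-10-22T08:02:00Z","event":"grant","session":"s-001","operator":"alice","protocol":"ssh","target":"plc-07","ttl_min":60}
{"ts":"2025-10-22T08:45:00Z","event":"revoke","session":"s-001","operator":"alice","protocol":"ssh","target":"plc-07","ttl_min":60}
{"ts":"2025-10-22T09:00:00Z","event":"grant","session":"s-002","operator":"vendor-x","protocol":"rdp","target":"hmi-03","ttl_min":60}
{"ts":"2025-10-22T10:30:00Z","event":"revoke","session":"s-002","operator":"vendor-x","protocol":"rdp","target":"hmi-03","ttl_min":60}
{"ts":"2025-10-22T09:30:00Z","event":"request","session":"s-003","operator":"frank","protocol":"sftp","target":"historian-01","ttl_min":30}
{"ts":"2025-10-22T09:31:00Z","event":"approve","session":"s-003","operator":"frank","approver":"carol","protocol":"sftp","target":"historian-01","ttl_min":30}
{"ts":"2025-10-22T09:32:00Z","event":"grant","session":"s-003","operator":"frank","protocol":"sftp","target":"historian-01","ttl_min":30}
{"ts":"2025-10-22T10:00:00Z","event":"approve","session":"s-005","operator":"vendor-y","approver":"vendor-y","protocol":"rdp","target":"hmi-01","ttl_min":30}
{"ts":"2025-10-22T10:01:00Z","event":"grant","session":"s-005","operator":"vendor-y","protocol":"rdp","target":"hmi-01","ttl_min":30}
{"ts":"2025-10-22T10:20:00Z","event":"revoke","session":"s-005","operator":"vendor-y","protocol":"rdp","target":"hmi-01","ttl_min":30}
{"ts":"2025-10-22T11:40:00Z","event":"approve","session":"s-004","operator":"alice","approver":"dave","protocol":"ssh","target":"plc-07","ttl_min":60}
{"ts":"2025-10-22T11:41:00Z","event":"grant","session":"s-004","operator":"alice","protocol":"ssh","target":"plc-07","ttl_min":60}
"""

# Fixed "now" so the audit is reproducible; a real run would use datetime.now(timezone.utc).
AUDIT_NOW = datetime(2025, 10, 22, 12, 0, tzinfo=timezone.utc)


def parse_events(text):
    """Parse JSON lines into dicts with timezone-aware timestamps, sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        events.append(rec)
    events.sort(key=lambda r: r["ts"])
    return events


def audit_sessions(events, now):
    """Return {session_id: {..., "issues": [...]}} for every session that was granted.

    Issues reported:
      no_approval_before_grant  - no approve event (with an approver) precedes the grant
      self_approved             - approver is the same identity as the operator
      late_revocation           - revoke happened after grant + ttl_min
      no_closure_after_expiry   - no revoke event and the approved window has passed
    """
    by_session = defaultdict(list)
    for rec in events:
        by_session[rec["session"]].append(rec)

    findings = {}
    for sid, recs in by_session.items():
        last = {r["event"]: r for r in recs}  # events are time-sorted; last of each kind wins
        grant = last.get("grant")
        if grant is None:
            continue  # never became privileged, so there is nothing to close
        issues = []
        approve = last.get("approve")
        if approve is None or not approve.get("approver") or approve["ts"] > grant["ts"]:
            issues.append("no_approval_before_grant")
        elif approve["approver"] == grant["operator"]:
            issues.append("self_approved")
        expiry = grant["ts"] + timedelta(minutes=grant["ttl_min"])
        revoke = last.get("revoke")
        if revoke is None:
            if now > expiry:
                issues.append("no_closure_after_expiry")
        elif revoke["ts"] > expiry:
            issues.append("late_revocation")
        findings[sid] = {
            "operator": grant["operator"],
            "protocol": grant["protocol"],
            "target": grant["target"],
            "issues": issues,
        }
    return findings


def summarize_by_protocol(findings):
    """Count granted sessions and sessions with at least one issue per protocol path."""
    counts = defaultdict(lambda: {"sessions": 0, "with_issues": 0})
    for f in findings.values():
        counts[f["protocol"]]["sessions"] += 1
        if f["issues"]:
            counts[f["protocol"]]["with_issues"] += 1
    return dict(counts)


def run_sample_audit():
    """Audit the constructed log against the fixed audit time."""
    return audit_sessions(parse_events(SAMPLE_LOG), AUDIT_NOW)


if __name__ == "__main__":
    findings = run_sample_audit()
    for sid, f in sorted(findings.items()):
        status = ", ".join(f["issues"]) or "ok"
        print(f"{sid} {f['protocol']:5} {f['target']:13} {f['operator']:9} {status}")
    print(summarize_by_protocol(findings))
```

Sessions that never reach a grant are skipped on purpose: a request that was denied is not a privilege that needs closing. A session with a grant and no revoke is only flagged once its approved window has passed, so an in-progress session does not show up as a false finding; the per-protocol summary is what tells you which path (ssh, rdp, file transfer) is leaking standing privilege.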

Key takeaways

  • Secure OT access is an identity governance issue because remote sessions become the control point for critical infrastructure.
  • Just-in-time access only reduces risk when the programme can prove grant, monitoring, and revocation across legacy OT paths.
  • Identity teams should govern the broker, the session, and the lifecycle together, or OT access will remain effectively standing privilege.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework, control or reference, and relevance:

  • OWASP Non-Human Identity Top 10, NHI-03: Just-in-time access and credential lifecycle are central to industrial remote access governance.
  • NIST CSF 2.0, PR.AC-4: OT access mediation and least privilege map directly to access control governance.
  • NIST Zero Trust (SP 800-207), PR.AC: Zero trust access assumptions are directly implicated by browser-based OT mediation.

Map industrial remote access paths to PR.AC-4 and require explicit approval and revocation evidence.


Key terms

  • Just-in-Time Access: Just-in-time access is a privilege model that grants credentials or session rights only for the duration of a specific task. In OT, it should be tied to a clearly recorded operator request, approved scope, and verified teardown so access does not linger after the work is complete.
  • Protocol Mediation: Protocol mediation is the use of an access layer that terminates one side of a session and relays approved actions to the target system. In industrial environments, it allows security policy to sit between the user and the asset, but it also creates a control point that must be audited and protected.
  • Privileged Access Management: Privileged Access Management is the governance discipline for high-risk access, including who can obtain it, how it is approved, and how it is monitored or revoked. In OT, PAM must account for legacy systems, vendor support paths, and operational continuity, not just credential checkout.
  • Zero Trust Access: Zero trust access is an identity model that requires continuous verification rather than assuming trust based on network location or prior authentication. In OT, the model is difficult because many assets were not built for continuous checks, so the access broker often becomes the place where policy is enforced.

Deepen your knowledge

OT access governance and just-in-time privilege are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building controls for industrial environments with legacy protocols and remote operators, it is worth exploring.

This post draws on content published by SSH Communications Security: SSH PrivX OT recognition in KuppingerCole’s 2025 Secure OT Access Report. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-10-22.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org